Network Security Breaches Plague NASA

Repeated attacks from abroad on NASA computers and Web sites are causing consternation among officials and stirring national security concerns

America's military and scientific institutions—along with the defense industry that serves them—are being robbed of secret information on satellites, rocket engines, launch systems, and even the Space Shuttle. The thieves operate via the Internet from Asia and Europe, penetrating U.S. computer networks. Some of the intruders are suspected of having ties to the governments of China and Russia, interviews and documents show. Of all the arms of the U.S. government, few are more vulnerable than NASA, the civilian space agency, which also works closely with the Pentagon and American intelligence services.

In April 2005, cyber-burglars slipped into the digital network of NASA's supposedly super-secure Kennedy Space Center east of Orlando, according to internal NASA documents reviewed by BusinessWeek and never before disclosed. While hundreds of government workers were preparing for a launch of the Space Shuttle Discovery that July, a malignant software program surreptitiously gathered data from computers in the vast Vehicle Assembly Building, where the Shuttle is maintained. The violated network is managed by a joint venture owned by NASA contractors Boeing (BA) and Lockheed Martin (LMT).

Undetected by the space agency or the companies, the program, called stame.exe, sent a still-undetermined amount of information about the Shuttle to a computer system in Taiwan. That nation is often used by the Chinese government as a digital way station, according to U.S. security specialists.

By December 2005, the rupture had spread to a NASA satellite control complex in suburban Maryland and to the Johnson Space Center in Houston, home of Mission Control. At least 20 gigabytes of compressed data—the equivalent of 30 million pages—were routed from the Johnson center to the system in Taiwan, NASA documents show. Much of the data came from a computer server connected to a network that tracks malfunctions that could threaten the International Space Station.

BEYOND HACKERS

Seven months after the initial April intrusion, NASA officials and employees at the Boeing-Lockheed venture finally discovered the flow of information to Taiwan. Investigators halted all work at the Vehicle Assembly Building for several days, combed hundreds of computer systems, and tallied the damage. NASA documents reviewed by BusinessWeek do not refer to any specific interference with operations of the Shuttle, which was aloft from July 26 to Aug. 9, or the Space Station, which orbits 250 miles above the earth.

The startling episode in 2005 added to a pattern of significant electronic intrusions dating at least to the late 1990s. These invasions went far beyond the vandalism of hackers who periodically deface government Web sites or sneak into computer systems just to show they can do it. One reason NASA is so vulnerable is that many of its thousands of computers and Web sites are built to be accessible to outside researchers and contractors. Another reason is that the agency at times seems more concerned about minimizing public embarrassment over data theft than preventing breaches in the first place.

In 1998 a U.S.-German satellite known as ROSAT, used for peering into deep space, was rendered useless after it turned suddenly toward the sun. NASA investigators later determined that the accident was linked to a cyber-intrusion at the Goddard Space Flight Center in the Maryland suburbs of Washington. The interloper sent information to computers in Moscow, NASA documents show. U.S. investigators fear the data ended up in the hands of a Russian spy agency.

Four years later, in 2002, an online intruder penetrated the computer network at the Marshall Space Flight Center in Huntsville, Ala., stealing secret data on rocket engine designs—information believed to have made its way to China, according to interviews and NASA documents. At about the same time a British hacker, whom the U.S. is now trying to extradite, allegedly prowled through the digital innards of no fewer than five NASA installations.

In 2004 a cyber-trespasser who poked around NASA's Ames Research Center in Silicon Valley caused a panicked technician to pull the plug on the facility's supercomputers to limit the loss of secure data. Two years later, and well after the protracted incident at the Kennedy Space Center, top NASA officials were tricked into opening a fake e-mail and clicking on an infected link that compromised computers at the agency's Washington headquarters.

The headquarters fiasco in 2006 led to the drafting of an internal memo by NASA's Inspector General, Robert W. Cobb, in which he said the perpetrators appeared to have ties to those who earlier had gotten into other agency facilities. "The scope, sophistication, timing, and hostile characteristics of some of the intrusions indicate they are coordinated or centrally managed," Cobb said in the previously undisclosed Nov. 3, 2006, memo.

The intrusions haven't ceased. In 2007 the Goddard center was again compromised. This time the penetration affected networks that process data from the Earth Observing System, a series of satellites that enable studies of the oceans, land masses, and atmosphere. Inspector General Cobb issued another report, this one public, on Nov. 13, 2007: "Our criminal investigative efforts over the last five years confirm that the threats to NASA's information are broad in scope, sophisticated, and sustained."

The agency refers internally to its efforts to stop intrusions linked to China under the code name "Avocado," according to interviews. Despite this formal recognition of the problem, at least some senior NASA officials have seemed determined publicly to minimize the seriousness of the security threat.

Cobb and other top officials declined to comment in any detail for this article. NASA Deputy Administrator Shana L. Dale said in a statement to BusinessWeek that discussing cyber-threats "could potentially jeopardize the agency's information technology security and, in some cases, violate federal law.... NASA aggressively works to protect its information assets with measures that include installing new technology, increasing investigative resources, heightening employee awareness, and working with other federal agencies."

Former government officials are more forthcoming. "The space race is back," says John W. McManus, referring to alleged foreign efforts to hijack American know-how. McManus, chief technology officer at NASA from 2003 through 2006, adds: "If another country can break in and steal information about rocket motors or fuel systems, well, that's billions of dollars that can be spent elsewhere" by the other nation. Howard A. Schmidt, a technology consultant who served as a White House special adviser on cyber-security from 2001 to 2003, concurs. "All indications are that the attacks are coming in from China," he says, "and the data is being exfiltrated out to China." Suspicions of a trail of stolen digital information leading to Taiwan and possibly on to China so far haven't translated into criminal charges, however.

Philip Shih, a Washington-based spokesman for Taiwan, says that in response to questions from BusinessWeek, Taipei has launched an investigation into whether the rogue stame.exe program that penetrated the Kennedy Space Center was controlled from computers of a Taiwan plastics company. Taiwan suspects its nemesis, China, is behind the intrusions, Shih adds. "We can't yet say it's definitely from China, but it's probably them. They use us for cover for their activities."

The Chinese government disavows any such cyber-espionage. "China will never do anything to harm the sovereignty or security of other countries," says Wang Baodong, a spokesman for the Chinese Embassy in Washington. "The Chinese government has never employed, nor will it employ, so-called civilian hackers in collecting information or intelligence of other countries."

The Russian Embassy similarly says Moscow has had nothing to do with online spying. "Russia denies any involvement in the intrusions [at NASA]," says Yevgeniy Khorishko, a Russian Embassy spokesman.

Boeing and Lockheed declined to comment.

As part of a yearlong look at high-tech security threats to U.S. weapon systems and government and defense industry computer networks, BusinessWeek interviewed more than 100 current and former government employees, defense industry executives, and people with ties to U.S. military and intelligence agencies. (See "E-spionage," Cover Story, Apr. 21, 2008, and "Dangerous Fakes," Cover Story, Oct. 13, 2008.) NASA was frequently identified as susceptible to attack.

"We've been repeatedly compromised," says a former NASA official who describes an ongoing attempt by the government and major security contractors such as Boeing, Lockheed, SAIC (SAI), and Booz Allen Hamilton to defend the space agency's networks. Sophisticated digital thieves routinely creep past traditional defenses such as electronic firewalls and antivirus software. Cloaking their identities, they can remotely install code—the instructions telling computers what to do—on a seemingly protected machine. The code might maintain a tunnel into a system for later exploitation or replicate malicious instructions that open additional pathways for unauthorized access. These programs also can send streams of sensitive data to destinations thousands of miles away. "We've lost information related to some of our missions, engineering designs, and research," says the former NASA official. "Every time we shift what we're doing, [the intruders] shift what they're doing."

NASA has known it has a security problem for more than a decade. In an October 1998 internal memo, the agency's administrator at the time, Daniel S. Goldin, warned subordinates that "the threat to NASA's information technology assets is increasing, and the number of attacks is growing along with the sophistication of the perpetrators and their tools." Goldin pleaded with the agency's semi-autonomous research and operational units to report all IT security incidents to headquarters. Many units still keep the information to themselves, according to other documents and interviews.

EARLY WARNING

By early 1999 the volume of intrusions had grown so worrisome that Thomas J. Talleur, the most senior investigator specializing in cyber-security in the Inspector General's office at NASA, wrote a detailed "network intrusion threat advisory." Talleur described the sly tactics behind a particularly virulent series of attacks on agency networks, which he said had been perpetrated by Russians. Titled "Russian Domain Attacks Against NASA Network Systems" and marked "For Official Use Only—No Foreign Dissemination," Talleur's Jan. 18, 1999, advisory was sent to the U.S. Army, the Secret Service, the FBI, the CIA, and the National Security Agency.

The 26-page advisory explained how, starting in May 1997, virtual intruders masking themselves and their IP addresses slipped undetected into networks at the Goddard center, a hub of space science activity. The trespassers penetrated computers in the X-ray Astrophysics Section of a building on Goddard's campus, where they commandeered computers delivering data and instructions to satellites. Before being discovered, the intruders transferred huge amounts of information, including e-mails, through a series of stops on the Internet to computers overseas. The advisory stated: "Hostile activities compromised [NASA] computer systems that directly and indirectly deal with the design, testing, and transferring of satellite package command-and-control codes"—in other words, computerized instructions transmitted to spacecraft.

In July 1998, a month after the discovery of the breach at Goddard, the U.S. Justice Dept. approved electronic monitoring of the illicit transmissions. That allowed a team of agents from NASA, the FBI, and the U.S. Air Force Office of Special Investigations to follow the trail of what they concluded was a criminal hacking ring with dozens of Internet addresses associated with computers near Moscow. The investigators made an even more alarming discovery, according to people familiar with the probe: The cyber-crime ring had connections to a Russian electronic spy agency known by the initials FAPSI. None of this has ever been made public, and BusinessWeek could not independently corroborate the Russian ties.

The investigators' findings became of far greater concern in September 1998. Without warning one day, the ROSAT satellite turned, seemingly inexplicably, toward the sun. The move damaged a critical optical sensor, rendering the satellite useless in its mission of making X-ray and ultraviolet images of deep space. NASA announced in a press release that ROSAT had been "accidentally scanning too closely to the sun." Talleur's report concluded otherwise.

The "accident," he noted, had been "coincident with the intrusion" into the Goddard system controlling it. Why would Russians want to cripple a satellite beloved worldwide by students of pulsars and supernovas? "Operational characteristics and commanding of the ROSAT were sufficiently similar to other space assets to provide intruders with valuable information about how such platforms are commanded," Talleur's advisory said. Put differently, manipulating ROSAT could teach an adversary how to toy with just about anything the U.S. put into the sky.

Talleur, now 59, retired in December 1999, frustrated that his warnings weren't taken more seriously. Five months after his advisory was circulated internally, the Government Accountability Office, the investigative arm of Congress, released a public report reiterating in general terms Talleur's concerns about NASA security. But little changed, he says in an interview. "There were so many intrusions and hackers taking things we had on servers, I felt like the Dutch boy with his finger in the dike," he explains, sitting on the porch of his home near Savannah, Ga. On whether other countries are behind the intrusions, he says: "State-sponsored? God, it's been state-sponsored for 15 years!"

Huntsville, Ala., known as Rocket City, is home to the Marshall Space Flight Center, where the famous "rocket boys"—former Nazis led by Wernher von Braun—helped U.S. engineers design ballistic missiles. Today, data stored on computers at the Marshall campus constitute one of the richest lodes of high-tech secrets anywhere in the world.

Around the clock for four days in June 2002, a prowler methodically probed enormous volumes of proprietary information at Marshall, according to NASA documents. The electronic intruder, without setting foot anywhere near Rocket City, gained access to servers handling sensitive work on new versions of the Delta and Atlas rockets that power intercontinental missiles, enhancements of the Shuttle's main engines, and Lockheed's F-35 Joint Strike Fighter, an advanced fighter jet that remains in development.

Had anyone been monitoring the Marshall computer networks in real time, the suspicious activity, automatically recorded on logs, would have been "immediately evident," NASA investigators concluded, according to a Dec. 11, 2002, report to top NASA executives. "In essence," said another internal report to NASA management on Mar. 26, 2003, "Marshall had locked up the card catalog, but left the library doors wide open."

Special agents from NASA's Office of Security, the Inspector General's office, and the Pentagon's Defense Criminal Investigative Service investigated the Marshall incident, but charges were never filed. NASA documents show that suspicion focused on Rafael Nuñez Aponte, a self-described former member of an international hacker gang known as World of Hell. Nuñez, a Venezuelan national, called himself "RaFa" in online postings. He spent seven months in U.S. prison in 2005 as punishment for defacing an Air Force training Web site in 2001. He headed home to Caracas in 2005.

According to documents from NASA's investigation of the Marshall intrusion, Nuñez in 2002 initially confessed to being directly involved in the incident. But then he changed his story two weeks later. Trying to distance himself from the crime, he told investigators he had obtained NASA files from hackers in France, an assertion he repeated during a phone interview with BusinessWeek this October. Nuñez, now 29, says rival hacking gang members in France had impersonated him while breaking into NASA's computer system. "I was involved with the Air Force attack, but some French hackers were behind the NASA one," he said. "The French were trying to pin it on me. That's very common in the hacker world."

U.S. authorities refused to discuss the case, saying it involves an ongoing investigation and, possibly, other suspects. Two people familiar with the probe said it focuses on the delivery of material to the Chinese government, perhaps by intermediaries in Europe, but they declined to be specific.

The secrets from Marshall could have helped the Chinese design engines and fuel to lift heavier loads beyond the atmosphere, according to NASA documents. Investigative case files prepared for a federal grand jury following the Marshall intrusion, and reviewed by BusinessWeek, include information from the statement of an unidentified witness under the heading "Allegations of Sale to a Foreign Government." But BusinessWeek couldn't corroborate the alleged Chinese ties or determine whether a